Linked by Thom Holwerda on Tue 14th Dec 2010 23:55 UTC, submitted by Oliver
Okay, this is potentially very big news that really needs all the exposure it can get. OpenBSD's Theo de Raadt has received an email in which it was revealed to him that ten years ago, the FBI paid several open source developers to implement hidden backdoors in OpenBSD's IPSEC stack. De Raadt decided to publish the email for all to see, so that the code in question can be reviewed. Insane stuff.

If you are scared or concerned about this article and what may be in Open Source software, you must read this, and think about its ramifications:

A well-known story, but not as easy to pull off as you might think. The original relies on special code in the compiler binary which a) recognises when it's compiling itself (to re-inject the special code), and b) recognises when it's compiling the login program (to implant the back-door).

Thing is, this *does* rely on that code being terribly clever. To work reliably, the compiler not only must recognise itself, but must also recognise future versions of itself. It needs to handle cross-compilation, e.g. an x86 compiler producing an x86_64 target. And it needs to recognise when it's compiling other compilers, e.g. gcc compiling Clang/LLVM or vice versa. It also needs to contain no bugs, lest it attract attention when it goes wrong.

Now, how many people do you think there are who could write code that clever to start with, *and* do so in such a way that it would never be noticed by any of the other smart people?

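The comment above describes the two recognition steps a self-propagating compiler backdoor needs (recognise its own source, recognise the login program). The standard defensive check for that class of backdoor is Diverse Double-Compiling (DDC): rebuild the suspect compiler from source with an independent trusted compiler, rebuild it again with that result, and compare the outcome byte-for-byte with the suspect binary. The following is an added toy model of that check, not code from the original page or from any real compiler; the compiler "binaries", the `TAINT` and `BYPASS` markers, `COMPILER_SOURCE` and `LOGIN_SOURCE` are all constructed, and `run_compiler()` stands in for actually executing a binary.

```python
"""Toy model of Diverse Double-Compiling (DDC), the check David A. Wheeler
proposed for detecting a self-propagating compiler backdoor.

Constructed simulation: a compiler "binary" is a byte string whose behaviour
is interpreted by run_compiler(); nothing here is a real compiler."""
import hashlib

COMPILER_MARKER = "# COMPILER_SOURCE"   # constructed: how toy compiler source identifies itself
TAINT = b"\x00TAINT"                    # constructed: stands in for the hidden self-replicating payload
BYPASS = b"\x00BYPASS"                  # constructed: stands in for the implanted login back-door

COMPILER_SOURCE = COMPILER_MARKER + "\nemit(bytecode_for(program))\n"   # constructed toy source
LOGIN_SOURCE = "def login(user, pw):\n    return check(user, pw)\n"     # constructed toy source


def run_compiler(compiler_binary: bytes, source: str) -> bytes:
    """Simulate executing compiler_binary on source.

    An honest compiler is deterministic: its output depends only on the
    source. A tainted compiler behaves identically except that it
    (a) re-injects TAINT whenever it recognises compiler source, and
    (b) appends BYPASS whenever it recognises the login program. Those two
    recognition steps are the "terribly clever" code the comment describes,
    reduced here to plain substring matches."""
    output = b"BIN:" + hashlib.sha256(source.encode()).digest()
    if compiler_binary.endswith(TAINT):
        if COMPILER_MARKER in source:
            output += TAINT
        if "def login" in source:
            output += BYPASS
    return output


def ddc_check(trusted_compiler: bytes, suspect_compiler: bytes, suspect_source: str) -> bool:
    """Diverse Double-Compiling.

    Stage 1: build the suspect compiler from its source with an independent,
    trusted compiler. Stage 2: rebuild it with the stage-1 result. If the
    suspect binary is an honest, reproducible build of suspect_source, stage 2
    must be byte-identical to it. A payload that lives only in the binary
    cannot survive stage 1 (the trusted compiler does not re-inject it), so
    it shows up as a mismatch."""
    stage1 = run_compiler(trusted_compiler, suspect_source)
    stage2 = run_compiler(stage1, suspect_source)
    return stage2 == suspect_compiler


def login_is_clean(compiler_binary: bytes) -> bool:
    """True if compiling the login program with compiler_binary adds no back-door."""
    return not run_compiler(compiler_binary, LOGIN_SOURCE).endswith(BYPASS)


# Independent trusted compiler: an unrelated toolchain with no payload.
TRUSTED = b"BIN:" + hashlib.sha256(b"an unrelated compiler").digest()
# Honest suspect: COMPILER_SOURCE built by an honest compiler.
HONEST = run_compiler(TRUSTED, COMPILER_SOURCE)
# Tainted suspect: a binary that already carries the payload rebuilt itself.
TAINTED = run_compiler(HONEST + TAINT, COMPILER_SOURCE)

if __name__ == "__main__":
    print("honest compiler passes DDC:", ddc_check(TRUSTED, HONEST, COMPILER_SOURCE))
    print("tainted compiler passes DDC:", ddc_check(TRUSTED, TAINTED, COMPILER_SOURCE))
    print("login built by tainted compiler is clean:", login_is_clean(TAINTED))
```

The model bakes in the one assumption real DDC depends on: the build must be reproducible, so that two honest compilers given the same source produce identical bytes. With a real toolchain, timestamps, embedded paths or non-deterministic codegen produce spurious mismatches that have to be eliminated before a diff can be read as evidence of tampering.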